SSL related problems

I did follow the Suse 10 howto to the letter to the best of my ability when I installed ISPConfig. I then set up a virtual site once I felt it was running correctly. I used openssl to create my crt and key files using the directions provided by the supplier of my CA certificate. I then went into ISPConfig and configured the SSL using the certificates I got from the CA I am using. Then I made sure the Vhosts_ispconfig.conf file was pointing to the correct certificate files. I was trying to follow a solution posted on this forum.
I had trouble using an upload function after I created the original site, and I did add the PHP configuration setting in the Vhosts_ispconfig.conf file manually. Now I know how to do it using ISPConfig, so I will not have to do that in the future.
If the Vhosts_ispconfig.conf file is correct, what else does apache use to provide SSL service for a web site? I am using one IP address, and apparently apache can see the http side of the site (www.amg01.info) because my remote testers are using that address now. I have another Fedora site set up and SSL is working there, so I have compared things and they seem to be the same. The Fedora site was set up prior to the Suse 10 release and my knowing about ISPConfig. I would like to replace the Fedora server with another Suse/ISPConfig setup as soon as I can figure out this problem.


Ok, this explains the problems. You created the SSL certificate wrong. You don't have to create the SSL cert manually, and you don't have to change anything in the vhost configuration file manually. If you do so, the system might fail, like in your case. All changes you made manually in the Vhosts_ispconfig.conf will be overridden by the system when you change anything in ISPConfig.

1) Remove anything SSL related you configured manually.

In Ispconfig:

2) Enable the SSL checkbox in the web you need SSL encryption for and save the website.
3) Open the site again; there you will find an SSL tab. Fill out the fields and leave the SSL certificate and certificate request fields empty. Select "Create certificate" in the action field and hit save. ISPConfig now creates a certificate request and a self-signed certificate with the appropriate settings; that can take up to 1 - 2 minutes. When you open the SSL tab again, you will find there the certificate request that you can use to get a signed certificate for your domain from an SSL authority. When you have got the SSL cert from the authority, you can replace the certificate shown on the SSL tab and select save as the action.

Thanks guys for the insight in this thread. It answered almost all of my questions on how to use ISPConfig to work with the certificates.

One further question. FYI, I used the perfect setup for Debian Sarge. I have heard that you can create your own CA functionality on this system. What are the pros and cons in setting up your own CA? I am completely new to CA and SSL, so bear with me.


I don't see any advantage in being your own CA, because whenever someone visits a site with an SSL cert from your own CA, a warning will pop up in the user's browser...

ctroyp said:

Furthermore, can someone recommend a low $ CA that is reputable?


I've always used InstantSSL ( www.instantssl.com ), never had problems with them. They used to be very cheap, but they've increased their prices now, but they are still among the cheapest.
Other CAs are Verisign, Thawte, Geotrust, Entrust, and RapidSSL.

Well, I am feeling pretty stupid because I may have painted myself into a corner. I was trying to add the PHP specific code to the site I had, prior to looking at redoing the SSL certificate as you indicated, thus avoiding any manual intervention as preferred. To make a long story short, I must have made a mistake: the site disappeared and now I cannot create it again because I get this error message: “The name www.amg01.info is already in use by another site or domain.” There is no other site on this system.

How can I recover from this error?
Is there any graceful way?
Should I uninstall ISPConfig and reinstall?
If uninstalling ISPConfig is recommended would the partial deinstallation be preferred if I am going to recreate this site?

Also, according to the directions from my CA, I must install an intermediate certificate prior to installing the Web Server SSL Certificate. This creates a chain from a trusted root CA, through an intermediate certificate, ending with a Web Server SSL Certificate issued to me. This seems to add another step which your solution did not seem to address. Since I already have the certificate, I was trying to use the solution presented to theduke on the forum in the “REAL SSL Cert install problems” thread. Would this have been appropriate?


Have you tried ISPConfig's search function to find a site with this name? Did you have a look into the recycle bins?

senzapaura said:

Also, according to the directions from my CA, I must install an intermediate certificate prior to installing the Web Server SSL Certificate. This creates a chain from a trusted root CA, through an intermediate certificate, ending with a Web Server SSL Certificate issued to me. This seems to add another step which your solution did not seem to address. Since I already have the certificate, I was trying to use the solution presented to theduke on the forum in the “REAL SSL Cert install problems” thread. Would this have been appropriate?


I also had to install an intermediate certificate from InstantSSL.com. This is how I did it:

Apparently I did not look in all the recycle bins. I was able to recover the site from one of them. In fact, the good news is I now have everything going through ISPConfig, including the PHP directives. The only manual changes I have made are those Falko recommended when using an intermediate certificate. I am using apache2, so I had to make the appropriate change to the path. The bad news is it is still not working; I cannot get to the https side of this site. Despite this problem I think I am making some headway. For sure I am beginning to see the light and think I understand things a bit more.

After I made all the suggested changes, when I restart apache I am no longer asked for my passphrase even though I am using all the same certificates. In particular the one I created with a passphrase for this site. I am not sure if ISPConfig has changed anything or not. When I was applying for the certificate I did not get the option to say no to the passphrase unlike when I was installing ISPConfig.

The following are the directions from Starfield Technologies, the company I purchase the SSL certificates from.
=================
INSTALLATION INSTRUCTIONS - APACHE 2.X
Installing Your Web Server Certificate and the Intermediate Certificate:
- Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
- Open the Apache ssl.conf file and add the following directives:

Since I cannot make this work with the certificate and key files I have, maybe I should start all over again. I can reissue the certificates, but I am not sure how to do this using ISPConfig. Since this is a reissue, will the steps outlined on pages 62-63 of the manual work? And where or when do I make use of the intermediate certificate and change the httpd.conf file as indicated by Falko? I am also assuming that Falko meant to cp the sf_config.crt file (the intermediate file returned by Starfield) to the file ca-bundle.crt.

I guess the other option is to continue trying to make the existing certificates work. Any more suggestions?

I just went through the process of adding SSL support to my site, using a cert I bought from godaddy. Everything works fine with ISPConfig in this respect, but I ran into trouble using the SSLChainFile supplied by godaddy. ISPConfig does not support ChainFiles directly, but you can easily add support on a site by site basis by adding a reference to it in the Apache Directives textarea within the ISPConfig control panel.

First, upload the Chain file to the ssl folder of your website. Next, add a reference to it in the Apache Directives field. In my case, this was:

After following all the directions, I believe I have the SSL certificate installed properly. I cannot access the site via https://www.amg01.info/, but I can access the site via https://192.168.6.179/, which is the internal IP address. It goes into secure mode and the security alert window indicates it is a good certificate and the date is good, but the name is not correct, which is what you would expect. I think this means I have the certificate loaded OK through ISPConfig. Unfortunately, since I still cannot access the site via the name, I am at a loss as to how to proceed. Any advice?

Also, somehow in trying to "fix" the SSL problem I now have ISPConfig displaying four additional security alert screens. I can still get in OK and it seems to work, except all the pop-up help icons pop up a new login screen for ISPConfig, and it is a bit of a pain clicking on four additional security alert screens. How can I fix this problem?

I am not sure I am interpreting the logs properly. In some cases it looks like it is seeing a problem, but provides no more information than I already know, namely that it cannot find the site.
I am thinking that maybe my configuration problem is not in the SSL set-up, but I am not sure.

Can you try again with another browser than Internet Explorer, e.g. Firefox?
Internet Explorer has some difficulties with SSL, so you'd have to put special directives into your Apache configuration to get it to work with IE.

I am also testing with firefox on a Suse10 Linux platform. The error message from firefox indicates it is timing out. Since most of the potential users of the web site I am trying to host will be using IE, I guess I need to look into the changes you mentioned.

After trying to access it from both IE and firefox some of the log files had changed so I am pasting the last 20 lines of each.

Realizing that this is my problem and having no one to talk this over with locally, I would like to briefly describe how I think things are supposed to work and see if I understand the environment. It is my belief that you must have an understanding of how the environment works to formulate an approach to debugging the problem. I would appreciate your comments. The following is my understanding:

1.) ISPConfig uses a “special” version of the apache software enabling a GUI front end for administering an ISP hosting service. The GUI is used to dynamically change the apache hosted web server configuration, making it easier to implement, track and manage the web services using apache.

2.) I am assuming that as a hosting service I can have any number of virtual hosts (depending on the server size) and each can use its own SSL certificate.

3.) SSL is part of an encryption protocol used to secure data being transmitted between the browser and a web hosting system.

4.) Without getting into all the details of the handshaking etc. required and enforced by SSL, I will just describe some key elements and concepts.

a. An SSL certificate is bound to a domain name. For example, I have a domain named xxyy.com pointing to an IP address 24.10.123.30. Access to this domain name, www.xxyy.com, routes the messages to my firewall. The SSL has my domain name within the certificate to verify I am who I am supposed to be. My firewall is listening on port 24.10.123.30. Once the firewall recognizes the messages it routes them across my local network to IP address 193.168.25.21. This is the web server used to process requests from the external IP address 24.1.123.30.
b. The Apache services running on 193.168.25.21 receive the message and determine the web site document location using the virtual host configuration. The virtual hosts can be named by an IP number (this can be a virtual IP address like 193.168.25.25 using this example) or a named host using the same external domain name xxyy.com for the named virtual host.
c. If the virtual host is defined to be listening on port 443 and has within its virtual host configuration paths to the proper certificate files, then the SSL modules within apache (normally mod_ssl) are used to encrypt and decrypt the data. Prior to these functions it verifies the domain name registered within the certificate, among other things. I am thinking this domain name should match the named virtual host name. If not, it displays an alert message on the browser indicating one of three reasons there may be a problem using this certificate. It could be a bad CA, a bad date, or the domain name in the certificate does not match the domain name for the virtual host. A match allows it to proceed to the https page address requested by the browser using the path described in the configuration file for the web site documents without an alert message, just an initial message indicating you are using secure mode.
d. The domain name on the hosting web server should not have to be the same as the domain requested by the browser client. Otherwise an ISP would need a separate machine for every external domain serviced. This does not seem reasonable to me.

5.) For some reason, probably a configuration problem, apache cannot find the site by name. It gives me a time out message to the effect that it cannot find the requested page.

6.) However, on the local network I can access https pages using the local network IP address. It finds the certificate and allows me to accept it even though the name does not match the IP address. It displays the normal alert indicating a valid CA with a valid date, but the wrong domain. I believe this to be correct since the IP address is not the domain name on the certificate. It then proceeds to deliver the pages. Because the internal IP address enables apache to find the SSL files from the virtual host configuration, the problem does not appear to be the installation of the SSL.

7.) When you define the virtual server by name and indicate the virtual domain in the configuration file, even if the SSL had the incorrect domain name I believe it should still be accessed and the appropriate alert should be displayed, similar to the display presented when the local IP address is used to access the site. This does not happen; instead the browser indicates it has timed out because the page is not accessible.

Can you elaborate on where I may be in error with my assumptions? Surely ISPs are not using one physical machine per client. And most allow the client to add SSL capability. I am not sure where I am going wrong. Any feedback would be appreciated.

1.) ISPConfig uses a “special” version of the apache software enabling a GUI front end for administering an ISP hosting service. The GUI is used to dynamically change the apache hosted web server configuration, making it easier to implement, track and manage the web services using apache.


Yes. But it's not a special version of apache, it's a normal apache webserver compiled from sources that runs on port 81.

2.) I am assuming that as a hosting service I can have any number of virtual hosts (depending on the server size)


Yes, even with only one IP address.

and each can use its own SSL certificate.


Yes, if you have different IP addresses for every site. This is a limit of the apache webserver, every vhost that uses SSL must have a unique IP address.

3.) SSL is part of an encryption protocol used to secure data being transmitted between the browser and a web hosting system.


Yes, SSL is an encryption protocol.

4.) Without getting into all the details of the handshaking etc. required and enforced by SSL, I will just describe some key elements and concepts.


Generally it is like you described, with the limitation that you need one IP per SSL-encrypted vhost.

5.) For some reason, probably a configuration problem, apache cannot find the site by name. It gives me a time out message to the effect that it cannot find the requested page.


Are you sure the domain points to your external IP address and you forwarded port 80 and 443 to your internal server IP? The apache vhost must be created with this internal IP where you forwarded the ports from your router to.

6.) However, on the local network I can access https pages using the local network IP address. It finds the certificate and allows me to accept it even though the name does not match the IP address. It displays the normal alert indicating a valid CA with a valid date, but the wrong domain. I believe this to be correct since the IP address is not the domain name on the certificate. It then proceeds to deliver the pages. Because the internal IP address enables apache to find the SSL files from the virtual host configuration, the problem does not appear to be the installation of the SSL.


ISPConfig uses only name-based vhosts. You have to use the domain and not the IP to access them.

7.) When you define the virtual server by name and indicate the virtual domain in the configuration file, even if the SSL had the incorrect domain name I believe it should still be accessed and the appropriate alert should be displayed, similar to the display presented when the local IP address is used to access the site. This does not happen; instead the browser indicates it has timed out because the page is not accessible.


No, only if you access the vhost by domain, not IP.

Can you elaborate on where I may be in error with my assumptions? Surely ISPs are not using one physical machine per client. And most allow the client to add SSL capability. I am not sure where I am going wrong. Any feedback would be appreciated.


I think your problem is that you try to access sites by IP instead of using a domain that is correctly configured in DNS and pointing with its A record to the external IP address of your router.
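The script below is an added example, not code from this thread, from ISPConfig or from Starfield: it builds a throw-away root, intermediate and server certificate with openssl, writes the Apache 2.x SSL directives that serve them (the intermediate goes in SSLCertificateChainFile, the line the CA instructions above break off before), and checks that vhost fragment the way a browser that trusts only the root CA would. The check fails when the intermediate is left out, and fails on the name when the vhost is reached by bare IP, which is the alert described in point 6 above. The hostname www.example.test, the address 192.0.2.10 and the working directory are made-up placeholders, and the openssl command-line tool (1.1.0 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example for this thread (not from ISPConfig or Starfield): build a toy
# root -> intermediate -> server chain, write the Apache 2.x SSL vhost
# directives for it, and verify that vhost fragment like a browser that only
# trusts the root. Hostname, IP address and directory are made-up placeholders.
set -eu
WORK="${TMPDIR:-/tmp}/toy-pki.$$"

# Sign a CSR. $1=CSR $2=issuer cert or "self" $3=issuer key $4=output cert $5=extension file
issue() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1" -signkey "$3" -out "$4" -days 1 -extfile "$5" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -out "$4" \
            -days 1 -extfile "$5" 2>/dev/null
    fi
}

# Create root, intermediate and server key pairs, then sign them into a chain.
# Runs in a subshell so the cd does not leak into the caller.
make_toy_pki() (
    mkdir -p "$WORK" && cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=Toy $n" 2>/dev/null
    done
    issue root.csr self root.key root.crt ca.ext
    issue int.csr root.crt root.key int.crt ca.ext
    issue leaf.csr int.crt int.key leaf.crt leaf.ext
)

# The directives the CA's Apache 2.x instructions add to ssl.conf: certificate,
# its key, and the intermediate in SSLCertificateChainFile. One SSL vhost per IP.
write_vhost() {
    cat >"$WORK/ssl-vhost.conf" <<EOF
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      $WORK/leaf.crt
    SSLCertificateKeyFile   $WORK/leaf.key
    SSLCertificateChainFile $WORK/int.crt
</VirtualHost>
EOF
}

# Print the argument of directive $1 in vhost fragment $2 (empty if absent).
directive() { awk -v d="$1" '$1 == d { print $2 }' "$2"; }

# Verify vhost fragment $1 for the name (or IP) $2 a client connected with:
# the key must belong to the certificate, and the certificate must chain to the
# trusted root through whatever intermediate the vhost serves and carry the
# requested name. Returns 0 when a browser would show no alert.
check_vhost() {
    crt=$(directive SSLCertificateFile "$1")
    key=$(directive SSLCertificateKeyFile "$1")
    chain=$(directive SSLCertificateChainFile "$1")
    name=$2
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ] || return 1
    # A bare IP is matched against iPAddress entries, a hostname against dNSName ones.
    case "$name" in *[!0-9.]*) set -- -verify_hostname ;; *) set -- -verify_ip ;; esac
    [ -n "$chain" ] && set -- -untrusted "$chain" "$@"
    openssl verify -CAfile "$WORK/root.crt" "$@" "$name" "$crt" >/dev/null 2>&1
}

# Same vhost without the ChainFile line: what a forgotten intermediate looks like.
strip_chain() { grep -v SSLCertificateChainFile "$1" >"$1.nochain"; }
cleanup() { rm -rf "$WORK"; }
```

Run make_toy_pki, write_vhost and then check_vhost with the hostname, with the IP, and against the stripped fragment to see the three outcomes; cleanup removes the temporary directory.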